CLAIMS 



What is claimed is: 



1. An apparatus for providing a computer security firewall, comprising: 

an ASIC including a firewall engine with a first engine including a first set of 
rules for sorting incoming IP packets into initially allowed packets and initially denied 
packets, and a filter including a second set of rules for receiving and further sorting the 
initially denied packets into allowed packets and denied packets. 

2. The apparatus of claim 1, wherein the filter dynamically generates the second 
set of rules. 

3. The apparatus of claim 2, wherein the first set of rules comprises fixed rules. 

4. The apparatus of claim 3, further comprising: 
a second engine for receiving and further processing the initially allowed 
packets. 

5. The apparatus of claim 4, wherein the second engine is capable of modifying 
some subset of the initially allowed packets. 

6. The apparatus of claim 5, wherein the second engine comprises a dynamic 
analyzer for identifying initially allowed packets requiring network address translation, 
and a handler for providing network address translation. 

7. The apparatus of claim 5, wherein the second engine comprises a dynamic 
analyzer for sending a "reset" packet to a source IP address. 



8. A computer software product for providing a network security firewall, 
comprising: 

computer code for sorting incoming IP packets into initially allowed packets 
and initially denied packets; 

computer code for extracting matching criteria from incoming IP packets; 

computer code for dynamically generating rules using the extracted matching 
criteria; and 

computer code for further sorting the initially denied packets using the 
dynamically-generated rules. 

9. The computer software product of claim 8, wherein the computer code for 
sorting incoming IP packets uses fixed rules. 

10. The computer software product of claim 9, further comprising: 
computer code for further sorting the initially allowed packets into allowed 
packets and packets requiring modification. 

11. The computer software product of claim 10, further comprising computer code 
for modifying control packets. 

12. The computer software product of claim 11, wherein the computer code for 
modifying control packets includes computer code for network address translation. 

13. The computer software product of claim 10, further comprising: 
computer code for generating and transmitting a "reset" packet in response to a 
denied packet. 



14. A method for providing network computer security, comprising: 
receiving incoming IP packets at a firewall; 

sorting the incoming IP packets into initially allowed packets and initially 
denied packets; and 

further sorting the initially denied packets into allowed and denied packets 
using dynamically-generated rules. 

15. The method of claim 14, wherein the step of sorting the incoming IP packets is 
performed using fixed rules. 

16. The method of claim 15, further comprising the step of further sorting the 
initially allowed packets into allowed packets and packets requiring modification. 

17. The method of claim 16, further comprising the step of providing network 
address translation for packets requiring modification. 

18. A method for providing network computer security, comprising: 
receiving incoming IP packets at a firewall; 

sorting the incoming IP packets into initially allowed packets and initially 
denied packets using a set of fixed rules; 

extracting parameters from the incoming IP packets; 

using the extracted parameters to generate a set of dynamically-generated rules; 
and 

further sorting the initially denied packets into allowed and denied packets 
using the dynamically-generated rules. 


19. The method of claim 18, further comprising the step of further sorting the 
initially allowed packets into allowed packets and packets requiring modification. 

20. The method of claim 19, further comprising the step of providing network 
address translation for packets requiring modification. 
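
The two-stage sort of claim 18, as an added illustration that is not part of the patent text: fixed rules make the initial sort, matching criteria are extracted from each packet, and rules generated from those criteria re-sort the initially denied packets. The claims do not say how the rules are generated; the reverse-flow policy, the inside network, and all names and addresses below are assumptions.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside" network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def extract_criteria(pkt):
    """Matching criteria extracted from a packet: its 5-tuple."""
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


class Firewall:
    def __init__(self):
        self.dynamic_rules = set()  # second rule set, generated at run time

    def fixed_allow(self, pkt):
        # First rule set (fixed; assumed policy): only inside hosts may initiate.
        return ipaddress.ip_address(pkt.src) in INSIDE

    def process(self, pkt):
        proto, src, sport, dst, dport = extract_criteria(pkt)
        if self.fixed_allow(pkt):
            # Assumed generation policy: permit the reverse direction of this flow.
            self.dynamic_rules.add((proto, dst, dport, src, sport))
            return "allowed"
        # Initially denied: further sort using the dynamically generated rules.
        if (proto, src, sport, dst, dport) in self.dynamic_rules:
            return "allowed"
        return "denied"


def demo():
    fw = Firewall()
    out = Packet("10.0.0.5", 40000, "203.0.113.9", 443)           # constructed
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 40000)         # constructed
    wrong_port = Packet("203.0.113.9", 443, "10.0.0.5", 40001)    # constructed
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 40000)  # constructed
    return [fw.process(p) for p in (reply, out, reply, wrong_port, unsolicited)]


if __name__ == "__main__":
    print(demo())
```

The same reply packet is denied before the outbound packet has been seen and allowed afterwards, which is the behaviour the second sorting stage adds over the fixed rules alone.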